[Dailydave] DNS Speculation

Petja van der Lek lek at xs4all.nl
Mon Jul 21 15:50:04 EDT 2008


It looks like you're channelling Dan Bernstein, 8 years after the fact. 
See: <http://cr.yp.to/djbdns/notes.html>. What your diabolical scheme 
boils down to is the inappropriate caching of out-of-zone glue records. 
As far as I know, djbdns never cached out-of-zone glue records, and BIND 
stopped doing that with version 9. Um, it did, right? (pokes the *real* 
experts for support)

Cheers,
Lek.

Halvar Flake wrote:
[BIG SNIP]
> Mallory wants to poison DNS lookups on server ns.polya.com for the
> domain www.gmx.net. The nameserver
> for gmx.net is ns.gmx.net. Mallory's IP is 244.244.244.244.
>
> Mallory begins to send bogus requests for www.ulam00001.com,
> www.ulam00002.com ... to ns.polya.com.
> ns.polya.com doesn't have these requests cached, so it asks a root
> server "where can I find the .com NS?"
> It then receives a referral to the .com NS. It asks the nameserver for
> .com where to find the nameserver
> for ulam00001.com, ulam00002.com etc.
>
> Mallory spoofs referrals claiming to come from the .com nameserver to
> ns.polya.com. In these referrals, it
> says that the nameserver responsible for ulamYYYYY.com is a server
> called ns.gmx.net and that
> this server is located at 244.244.244.244. Also, the time to live of
> this referral is ... long ...
>
> Now eventually, Mallory will get one such referral spoofed right, e.g.
> the TXID etc. will be guessed properly.
> ns.polya.com will then cache that ns.gmx.net can be found at ...
> 244.244.244.244. Yay.
>
> The above is almost certainly wrong. Can someone with more insight into
> DNS tell me why it won't work?
>
>   
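The resolver-side check Lek is pointing at, as an added example that is not part of the thread: a minimal bailiwick filter applied to the additional section of the referral Halvar describes. The record names and the 244.244.244.244 address are the thread's own illustrative values; the legitimate glue record and the TTLs are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One resource record as it would appear in a referral's additional section."""
    name: str   # owner name, e.g. "ns.gmx.net."
    rtype: str  # "A" or "NS"
    rdata: str
    ttl: int


def _labels(name: str) -> tuple:
    return tuple(name.rstrip(".").lower().split("."))


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies beneath it on a label boundary."""
    if zone.strip(".") == "":        # the root zone contains every name
        return True
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def accept_glue(referral_zone: str, additional: list):
    """Split additional-section records into those a resolver may cache
    (in-bailiwick glue) and those it must drop (out-of-zone glue)."""
    kept, dropped = [], []
    for rr in additional:
        (kept if in_bailiwick(rr.name, referral_zone) else dropped).append(rr)
    return kept, dropped


# Constructed replay of the referral from the thread: an answer claiming to come
# from the .com servers, delegating ulam00001.com to ns.gmx.net and attaching an
# A record for ns.gmx.net with a long TTL.
SPOOFED_GLUE = RR("ns.gmx.net.", "A", "244.244.244.244", ttl=604800)
# Constructed in-zone glue for comparison (RFC 5737 documentation address).
LEGIT_GLUE = RR("ns.ulam00001.com.", "A", "192.0.2.1", ttl=172800)


def filter_spoofed_referral():
    """The referral arrived from a .com server, so its bailiwick is 'com.'."""
    return accept_glue("com.", [SPOOFED_GLUE, LEGIT_GLUE])


if __name__ == "__main__":
    kept, dropped = filter_spoofed_referral()
    for rr in dropped:
        print(f"dropped out-of-bailiwick glue: {rr.name} A {rr.rdata} ttl={rr.ttl}")
    for rr in kept:
        print(f"cacheable glue: {rr.name} A {rr.rdata} ttl={rr.ttl}")
```

The filter only closes the out-of-zone glue path the post relies on; the TXID guessing it mentions is a separate matter handled by transaction-ID and source-port randomisation.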

